Spam Back on the Rise with Srizbi Resurrected

It seems however that the spam was emanating from a zombie network and the control servers were hosted by McColo, the creators of the botnet (Srizbi) were smart about it though and built a fail-safe system into the the malware.

It should be expected that spam will return to normal levels within a week or so.

On Nov. 11, the Internet servers used to control the Srizbi botnet were disconnected when a Web hosting firm identified by security experts as a major host of organizations engaged in spam activity was taken offline by its Internet providers.

Turns out, Srizbi’s authors had planned ahead for such a situation by building into each bot a fail-safe mechanism in case its master control servers were unavailable: A mathematical algorithm that generates a random but unique Web site domain name to check for new instructions and software updates.

With such a system in place, the malware authors can regain control over the bots merely by registering the Web site names that the infected machines are trying to visit and placing the instructions there.

It seems to be a pretty advanced piece of malware, it acts as a rootkit so it’s hard to remove, it’s has a Python mailing component which allows 3rd party access – this makes it very probably the botnet is ‘rented’ out to spam houses. It also pretty powerful on the network level as it can directly attach NDIS and TCP/IP drivers to its own process to hide network traffic it generates.

Some claim Srizbi is the largest botnet and is responsible for over half of the spam being produced globally, so this is a worrying turn of events.

According to FireEye, a security company in Milpitas, Calif., that has closely tracked the botnet’s actviity, a number of those rescue domains were registered Tuesday evening, apparenly directing at least 50,000 of the Srizbi-infected machines to receive new instructions and malicious software updates from servers in Estonia.

FireEye senior security researcher Alex Lanstein said he fully expects spam volumes to recover to their pre-Nov. 11 levels within a couple of days.

“Srizbi was the spam king,” Lanstein said. “And now it’s back.”

Seen as though the main activity is happening in Eastern Europe it seems unlikely anyone will be able to stop it and due to the very nature of botnets (completely distributed) IP blacklisting is futile as the mail could be coming from anywhere.

Anyhow it’ll be an interesting story to watch and I hope there are some new developments in taking these botnets out.